Abstract

over an unreliable underlying network. Formal specifications are given for reliable and unreliable

1 Introduction


Modern computers do not usually operate in isolation, but are connected to other computers by data communication media. Networking software is provided to enable users and application programs located at different machines to interact. This software is often complicated - in fact, it sometimes occupies more of the resources used by system software than does the operating system kernel. In order to control the complexity of networking software, and also to enable different machines in a network to run different networking software, a layered architecture is often used. There are many different layered architectures in use in proprietary, governmental, and international networks [20, 19, 6, 14]. While the exact choice of function for each layer differs in the various networks, the general framework is always the same: each layer acts according to a protocol that uses the services of the next lower layer, in order to provide enhanced features. For example, in the OSI architecture, the network layer uses a service providing reliable communication between directly connected machines, and provides communication between machines that are connected only indirectly. A general account of layering can be found in [16].

Reliable delivery of information is one important service that is provided in at least one layer in most layered networks. For example, the HDLC protocol for the data link layer of the OSI architecture [20] provides reliable transfer of data between directly connected machines, using the physical layer service of an unreliable bit channel: the physical layer can generally corrupt, lose or duplicate messages, but the HDLC protocol guarantees exactly-once, FIFO delivery. In layered architectures, data corruption is often detected using checksums, and the loss of a message is compensated for by retransmission. Such retransmissions can lead to the arrival of duplicate messages. Since a reliable service must not pass duplicate messages to the higher layers, each message is usually tagged with a sequence number, which is also mentioned in the corresponding acknowledgment. Many algorithms have been developed based on these ideas, such as the Alternating Bit Protocol [3], in which only the low order bit of the sequence number is actually used. Common protocols such as HDLC use these algorithms.

Protocols based on tagging messages with a sequence number require each end station to remember the current sequence number. If this information is kept in volatile storage, and if a crash destroys that storage at one station, then the protocol will be restarted at that station in its initial state, and therefore will assign sequence number 1 (as initially) to the next message. If the other station were still expecting a different sequence number, the first message after the crash might not be delivered. (It might be treated like a retransmission of a previous message and ignored.) Thus, some mechanism is needed in the protocol for one station to cause the other to also reinitialize its sequence number.
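The restart scenario just described, as an added simulation that is not code from the paper: a transmitter whose sequence counter lives only in volatile memory, a receiver that discards any packet whose sequence number is not the one it expects, and a lossless channel, so that the only fault in play is the transmitter crash. The class and function names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the scenario in the text; names are illustrative.
Packet = Tuple[int, str]  # (sequence number, message)


@dataclass
class Transmitter:
    next_seq: int = 1  # kept in volatile storage only

    def send(self, m: str) -> Packet:
        pkt = (self.next_seq, m)
        self.next_seq += 1
        return pkt

    def crash(self) -> None:
        # A crash destroys volatile state: the station restarts in its initial
        # state and tags the next message with sequence number 1 again.
        self.next_seq = 1


@dataclass
class Receiver:
    expected: int = 1
    delivered: List[str] = field(default_factory=list)

    def receive(self, pkt: Packet) -> bool:
        """Accept the packet only if it carries the expected sequence number.
        Any other number is taken for a retransmission and ignored."""
        seq, m = pkt
        if seq != self.expected:
            return False
        self.delivered.append(m)  # passed up to the higher layer
        self.expected += 1
        return True


def run_scenario(before: List[str], after: List[str]) -> Dict[str, List[str]]:
    """Send `before`, crash the transmitter, then send `after`.
    The channel is assumed lossless, so every lost message is due to the
    crash alone. Returns the delivered messages and the post-crash losses."""
    tx, rx = Transmitter(), Receiver()
    for m in before:
        rx.receive(tx.send(m))
    tx.crash()
    accepted = [rx.receive(tx.send(m)) for m in after]
    lost = [m for m, ok in zip(after, accepted) if not ok]
    return {"delivered": rx.delivered, "lost_after_crash": lost}


if __name__ == "__main__":
    # After three pre-crash messages the receiver expects number 4, so the
    # restarted transmitter's numbers 1 and 2 are silently dropped.
    print(run_scenario(["a", "b", "c"], ["d", "e"]))
```

Note that the loss is not only of the first post-crash message: with one pre-crash message and two post-crash ones, the second post-crash message is accepted while the first is dropped, so the delivered sequence is a different sequence from the one sent.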

One such mechanism is for the station on the machine that has crashed to send a special control message to the other station. (In HDLC this is a "Set Normal Response Mode" (SNRM) message.) When this control message is received, the other station reinitializes its sequence number and other data structures. The control message is acknowledged by its recipient, and data messages (or data acknowledgments) are sent by the station on the crashed machine only after the reinitialization acknowledgment has been received. Of course, the reinitialization message itself might be lost; to handle this possibility, the crashed station uses a timeout to determine when to resend the reinitialization message. The HDLC reinitialization protocol is based on the ideas just sketched. In [4], Baratz and Segall examine this protocol, and find it to be incorrect in that reliable delivery is not guaranteed even for messages sent after reinitialization has completed. That is, it is possible for a pattern of failure and message delay to cause an execution of the protocol in which a sequence of data items is accepted from the higher layer at one end after reinitialization, but the sequence delivered at the other end is different.

In [4], Baratz and Segall present an alternative mechanism for reinitializing the sequence numbers and other data structures; their mechanism is applicable to a wide range of reliable communication protocols. Their method involves tagging the reinitialization control messages and their acknowledgments with a bit whose value alternates between reinitialization episodes. This bit must be remembered across crashes, and therefore it cannot be stored in volatile memory.¹ Baratz and Segall conjecture that some non-volatile storage is needed in any protocol that reinitializes values so as to provide reliable data transfer after reinitialization has completed. This paper is devoted to formalizing this impossibility claim and proving it rigorously.

Formal correctness proofs for particular communication protocols are fairly common in the study of computer networks, but there are few examples so far of impossibility results. A survey of such results in distributed computation can be found in [9]. Proving an impossibility result requires a formal model for specifications in which one can describe the task being considered, a formal model for implementations in which one can express any conceivable protocol to perform the given task, and a definition of when a protocol (as described in the model) is correct according to a specification (as described in the model). In this paper we use the input/output automaton model from [11, 12] for these purposes.

In order to state an impossibility result in the strongest form, one should specify the task to be performed in as weak a fashion as possible; that is, the specification should place few requirements on the protocol. (Of course, the task must not be described so weakly that it becomes possible to accomplish it!) In this paper, the task is reliable data communication using the unreliable service of a lower layer. We use a weak specification for reliable data communication, which states that each message is delivered at most once, and that every message sent after the last crash is delivered exactly once. This specification does not include stronger guarantees such as reliable delivery of messages sent before a crash, or FIFO delivery of those messages that are delivered. While such properties are desirable for users of a reliable communication service, they are not necessary for proving our impossibility result. The impossibility result we give for the weak specification immediately implies corresponding impossibility results for specifications with stronger guarantees.

Since the reliable layer uses the lower unreliable layer without knowledge of the details of the lower layer's implementation, a correct protocol is required to work correctly with every implementation of the unreliable layer. Thus, to make the impossibility result as strong as possible, one should make the description of the lower layer as strong as possible; this places fewer requirements on the protocol, since it is then required to work with fewer implementations of the unreliable layer, i.e., those having strong constraints. We use a strong specification for unreliable data communication, which allows messages to be lost, but does guarantee at-most-once FIFO delivery. The impossibility result we state in terms of an unreliable layer with these strong guarantees applies a fortiori to situations where the reliable layer must cope with a larger range of faults in the unreliable layer.

¹Since the value of this bit is not used during normal operation, there is little practical disadvantage in keeping it on disk.
As an example of the application of the impossibility result, the ISO transport protocol class 4 and Internet TCP protocols provide ordered reliable end-to-end service using a network service that may lose or reorder data. Since the requirements for reliable message delivery are stronger than those in our result and the assumptions about the unreliable layer are weaker than those in our result, our impossibility result applies to this situation. It implies that for these protocols to guarantee to correctly initialize a connection after a crash, there must be some information that survives the crash.

In practice, there are several ways in which systems cope with the limitation expressed by the impossibility result. First, some existing protocols (such as HDLC at the data link layer) simply behave incorrectly in some cases. The "reliable" layer may lose a message in the face of certain (unlikely) combinations of requests, crashes, and message delays. This is often accepted by system designers on the basis that the errors only happen infrequently, and even when they occur, higher layers of the system may be able to recover from the problem. Second, some systems keep data that is not volatile, and so will survive a crash of a machine on which the protocol is running. For transport protocols, a hardware clock is sometimes used. This provides information about the current time, and therefore does not return to the initial state when a crash occurs. Another strategy involves keeping a counter known as an incarnation number in non-volatile disk storage, and incrementing it after each crash. Transport layer control messages are tagged with the incarnation number, which enables the protocol to recognize old connection requests. Third, some systems require still stronger assumptions about the unreliable layer than we use. For instance, some existing transport protocols insist that the network layer enforce a known maximum time within which each message must be delivered or destroyed. When the network layer is restricted in this way, correct transport initialization protocols can be obtained, but at the cost of introducing dependencies between the settings of time parameters in different layers. Several of these techniques are described in more detail in [7].

There are several other impossibility results in the literature for communication problems. A sketch of a proof that no protocol can reliably provide either delivery or notification of nondelivery for all messages, including those sent before a crash, is given in [5]. In [8] is a proof that correct connection establishment is impossible when the protocol has a particular form: a single resynchronizing message is sent and acknowledged if no data message is successfully delivered within a fixed timeout period, and each data message is retransmitted after a (possibly different) timeout, until it is acknowledged. The paper [2] contains a number of impossibility results for synchronous protocols, specifically, lower bounds for the number of states required to solve various communication problems. The paper [1] contains an impossibility proof for reliable transmission using a number of messages that is bounded in the best case, regardless of past faults, when the messages have bounded headers and the unreliable layer can reorder data messages. Related impossibility results concerning the use of bounded headers with non-FIFO unreliable layers are found in [18, 13, 17].

The rest of the paper is organized as follows. Section 2 contains a summary of the relevant definitions from the input/output automaton model. Section 3 contains a specification of a reliable layer, which represents the reliable communication task to be performed. Section 4 contains a specification of the unreliable layer, which the protocol is assumed to have available for its use. Section 5 defines what it means for a protocol to be correct according to the given specifications. Finally, Section 6 contains the impossibility result.
2 The I/O Automaton Model

The input/output automaton model was defined in [11] as a tool for modeling concurrent and distributed systems. We refer the reader to [11] and to the expository paper [12] for a complete development of the model, plus motivation and examples. Here, we provide a brief summary of those aspects of the model that are needed for our results.

2.1 Actions and Action Signatures

Fundamental to the model is the identification of the actions possible between an entity and its environment, and the separation of those actions into types depending on where the occurrence is controlled. An entity has inputs which are under the control of the environment, outputs which are under the control of the entity and detectable by the environment, and internal actions which are controlled by the entity but not detectable by the environment.

Formally, an action signature $S$ is an ordered triple consisting of three pairwise-disjoint sets of actions. We write $in(S)$, $out(S)$ and $int(S)$ for the three components of $S$, and refer to the actions in the three sets as the input actions, output actions and internal actions of $S$, respectively. We let $ext(S) = in(S) \cup out(S)$ and refer to the actions in $ext(S)$ as the external actions of $S$. We let $acts(S) = in(S) \cup out(S) \cup int(S)$, and refer to the actions in $acts(S)$ as the actions of $S$.

2.2 Input/Output Automata

In the I/O automaton model, a computational entity (either a whole system, or a process or node within a system) is modeled by a state machine. Formally, an input/output automaton $A$ (also called an I/O automaton or simply an automaton) consists of five components:

1. an action signature $sig(A)$,

2. a set $states(A)$ of states,

3. a nonempty set $start(A) \subseteq states(A)$ of start states,

4. a transition relation $steps(A) \subseteq states(A) \times acts(sig(A)) \times states(A)$, with the property that for every state $s'$ and input action $\pi$ there is a transition $(s', \pi, s)$ in $steps(A)$, and

5. an equivalence relation $part(A)$ on $out(sig(A)) \cup int(sig(A))$, having at most countably many equivalence classes.

For brevity, we write $in(A)$ for $in(sig(A))$, $out(A)$ for $out(sig(A))$, and so on.

We refer to an element $(s', \pi, s)$ of $steps(A)$ as a step of $A$. If $(s', \pi, s)$ is a step of $A$, then $\pi$ is said to be enabled in $s'$. Since every input action is enabled in every state, automata are said to be input enabled. The partition $part(A)$ is an abstract description of the underlying components of the automaton, and is used to define fairness.

An execution fragment of $A$ is a finite sequence $s_0 \pi_1 s_1 \pi_2 \ldots \pi_n s_n$ or an infinite sequence $s_0 \pi_1 s_1 \pi_2 \ldots \pi_n s_n \ldots$ of alternating states and actions of $A$ such that $(s_i, \pi_{i+1}, s_{i+1})$ is a step of $A$ for every $i$. An execution fragment beginning with a start state is called an execution.

A fair execution of an automaton $A$ is defined to be an execution $\alpha$ of $A$ such that the following condition holds for each class $C$ of $part(A)$: if $\alpha$ is finite, then no action of $C$ is enabled in the final state of $\alpha$, while if $\alpha$ is infinite, then either $\alpha$ contains infinitely many events from $C$, or else $\alpha$ contains infinitely many occurrences of states in which no action of $C$ is enabled. Thus, a fair execution gives "fair turns" to each class of $part(A)$. Informally, one class of $part(A)$ typically consists of all the actions that are controlled by a single subsystem within the system modeled by the automaton $A$, and so fairness means giving each such subsystem regular opportunities to take a step under its control, if any is enabled. In the common case that there is no lower level of structure to the system modeled by $A$ (when $part(A)$ consists of a single class), a fair execution is an execution in which infinitely often the automaton is given an opportunity to take an action under its control if any is enabled.

The behavior of an execution fragment $\alpha$ of $A$ is the subsequence of $\alpha$ consisting of external actions, and is denoted by $beh(\alpha)$. That is, $beh(\alpha)$ is formed by removing from the sequence $\alpha$ all states and also those actions in $int(A)$. We say that $\beta$ is a behavior of $A$ if $\beta$ is the behavior of an execution of $A$. We say that $\beta$ is a fair behavior of $A$ if $\beta$ is the behavior of a fair execution of $A$. When an algorithm is modeled as an I/O automaton, it is the set of fair behaviors of the automaton that reflect the activity of the algorithm that is important to users.

We say that a finite behavior $\beta$ of $A$ can leave $A$ in state $s$ if there is a finite execution $\alpha$ with $\beta$ as its behavior, such that the final state in $\alpha$ is $s$.

A fundamental operation that we sometimes apply to a sequence $\beta$ of actions (or other elements), such as a behavior, is to take the subsequence consisting of those actions that are in a set $\Phi$ of actions. We call this the projection of $\beta$ on $\Phi$ and denote it by $\beta|\Phi$. For brevity, we write $\beta|A$ for $\beta|acts(A)$.

2.3 Composition

The most useful way of combining I/O automata is by means of a composition operator, as defined in this subsection. This models the way algorithms interact, as for example when the pieces of a communication protocol at different nodes and a lower-level protocol all work together to provide a higher-level service.

A collection $\{A_i\}_{i \in I}$ of automata is said to be strongly compatible if no action is an output of more than one automaton in the collection, any internal action of any automaton does not appear in the signature of another automaton in the collection, and no action occurs in the signatures of an infinite number of automata in the collection. Formally, we require that for all $i, j \in I$, $i \neq j$, we have

1. $out(A_i) \cap out(A_j) = \emptyset$,

2. $int(A_i) \cap acts(A_j) = \emptyset$, and

3. no action is in $acts(A_i)$ for infinitely many $i$.

The composition $A = \prod_{i \in I} A_i$ of a strongly compatible collection of automata $\{A_i\}_{i \in I}$ has the following components:

1. $in(A) = \bigcup_{i \in I} in(A_i) \setminus \bigcup_{i \in I} out(A_i)$, $out(A) = \bigcup_{i \in I} out(A_i)$, and $int(A) = \bigcup_{i \in I} int(A_i)$,

2. $states(A) = \prod_{i \in I} states(A_i)$,

3. $start(A) = \prod_{i \in I} start(A_i)$,

4. $steps(A)$ is the set of triples $(s_1, \pi, s_2)$ such that for all $i \in I$, if $\pi \in acts(A_i)$ then $(s_1[i], \pi, s_2[i]) \in steps(A_i)$, and if $\pi \notin acts(A_i)$ then $s_1[i] = s_2[i]$,² and

5. $part(A) = \bigcup_{i \in I} part(A_i)$.

Since the automata $A_i$ are input-enabled, so is their composition, and hence their composition is an automaton. Each step of the composition automaton consists of all the automata that have a particular action in their signatures performing that action concurrently, while the automata that do not have that action in their signatures do nothing. The partition for the composition is formed by taking the union of the partitions for the components. Thus, a fair execution of the composition gives fair turns to all of the classes within all of the component automata. In other words, all component automata in a composition continue to act autonomously. If $\alpha = s_0 \pi_1 s_1 \ldots$ is an execution of $A$, let $\alpha|A_i$ be the sequence obtained by deleting $\pi_j s_j$ when $\pi_j$ is not an action of $A_i$, and replacing the remaining $s_j$ by $s_j[i]$.

The following basic results relate executions and behaviors of a composition to those of the automata being composed. The first result says that the projections of executions of a composition onto the components are executions of the components, and similarly for behaviors, etc. The parts of this result dealing with fairness depend on the fact that at most one component automaton can impose preconditions on each action.

Lemma 2.1 Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. If $\alpha$ is an execution of $A$, then $\alpha|A_i$ is an execution of $A_i$ for all $i \in I$. Moreover, the same result holds for fair executions, behaviors and fair behaviors in place of executions.

Certain converses of the preceding lemma are also true. Behaviors of component automata can be patched together to form schedules or behaviors of the composition.

Lemma 2.2 Let $\{A_i\}_{i \in I}$ be a strongly compatible collection of automata, and let $A = \prod_{i \in I} A_i$. Let $\beta$ be a sequence of actions in $acts(A)$. If $\beta|A_i$ is a fair behavior of $A_i$ for all $i \in I$, then $\beta$ is a fair behavior of $A$. Also, if $\beta|A_i$ is a behavior of $A_i$ that can leave $A_i$ in state $s_i$, for all $i \in I$, then $\beta$ is a behavior of $A$ that can leave $A$ in a state $s$ where $s[i] = s_i$ for all $i \in I$.

2.4 Hiding Output Actions

We now define an operator that hides a designated set of output actions in a given automaton to produce a new automaton in which the given actions are internal. Namely, suppose $A$ is an I/O automaton and $\Phi \subseteq out(A)$ is any subset of the output actions of $A$. Then we define a new automaton, $hide_\Phi(A)$, to be exactly the same as $A$ except for its signature component. For the signature component, we have $in(hide_\Phi(A)) = in(A)$, $out(hide_\Phi(A)) = out(A) \setminus \Phi$, and $int(hide_\Phi(A)) = int(A) \cup \Phi$.

2.5 Specifications

To specify an entity, we give a set of acceptable patterns of interaction between the entity and its environment. Formally,³ a specification $T$ consists of two components:

1. an action signature $sig(T)$ having no internal actions, and

2. a set $behs(T)$ of sequences (finite or infinite) of elements of $acts(sig(T))$, called the behaviors of $T$.

For brevity we write $in(T)$ for $in(sig(T))$ and so on. We also write $\beta|T$ for $\beta|acts(T)$.

²We use the notation $s[i]$ to denote the $i$-th component of the state vector $s$.

³This is a special case of a schedule module as defined in [11].

2.6 An Automaton Satisfying a Specification

To express the fact that an entity modeled by an automaton $A$ is satisfactory for a task modeled by a specification $T$, we use the following definition: we say that $A$ satisfies $T$ provided $in(A) = in(T)$, $out(A) = out(T)$ and also every fair behavior of $A$ is an element of $behs(T)$.

3 The Reliable Layer

In this section, we give a specification for the weak type of reliable layer that we wish to implement.

We assume that the reliable layer interacts with higher layers at two endpoints, a transmitting station and a receiving station. The reliable layer accepts messages from the higher layer at the transmitting station, and delivers some of them to the higher layer at the receiving station. In this paper, we consider the situation in which nodes may crash, losing the information in their state. Therefore, the specification includes events that model these crashes, and the reliability provided is only conditional on no later crash occurring. That is, the reliable layer guarantees that every message that is sent is eventually received, assuming that the end stations remain active. We do not insist that the order of the messages be preserved, as discussed in Section 1.

We describe the reliable layer formally as a specification $RL$. Let $M$ be a fixed alphabet of "messages". The action signature $sig(RL)$ is illustrated in Figure 1, and is given formally as follows.

Input actions:

$send(m)$, $m \in M$
$crash^t$
$crash^r$

Output actions:

$rcv(m)$, $m \in M$

The $send(m)$ action represents the sending of message $m$ on the reliable layer by the transmitting station, and the $rcv(m)$ action represents the receipt of message $m$ by the receiving station. The $crash^t$ and $crash^r$ actions represent notification that the transmitting or receiving station, respectively, has suffered a hardware crash failure. In the distributed implementations of the reliable layer to be considered later in the paper, these events will trigger the return to initial state in the appropriate automaton. We refer to the actions in $acts(RL)$ as reliable layer actions.

In order to define the set $behs(RL)$, we define a collection of auxiliary properties. These properties are defined with respect to $\beta = \pi_1 \pi_2 \ldots$, a (finite or infinite) sequence of reliable layer actions, and a total function $cause$ from the indices in $\beta$ of $rcv$ events to the indices of $send$ events. This function is intended to model the association that can be set up between the event modeling the receipt of a packet and the event modeling the sending of the same packet. This function is needed to deal carefully with the fact that the same data might be sent repeatedly, and in that case the sequence will contain multiple occurrences of the same action.

Figure 1: The Reliable Layer

The first property expresses the idea that an effect (i.e., a $rcv$ event) must occur after its cause (i.e., a corresponding $send$ event).

(RL1) If $\pi_i = rcv(m)$, $\pi_j = send(n)$, and $cause(i) = j$ then $j < i$. (That is, the event $\pi_j$ precedes $\pi_i$ in $\beta$.)

The next property indicates that messages are not corrupted.

(RL2) If $\pi_i = rcv(m)$, $\pi_j = send(n)$, and $cause(i) = j$ then $m = n$.

The next property indicates that messages are not duplicated.

(RL3) The function $cause$ is one-to-one. (That is, $cause(i_1) \neq cause(i_2)$ for $i_1 \neq i_2$.)

So far, the properties listed have been safety properties, that is, when they hold for a sequence they also hold for any prefix of that sequence. The final property is a liveness property asserting when messages are required to be delivered by the reliable layer. It says that all messages that are sent are eventually delivered, provided no later crashes occur. We use the following terminology: a crash interval is a maximal contiguous subsequence of $\beta$ not containing any $crash^t$ or $crash^r$ events; thus, the crash intervals of $\beta$ are the sequences of events between successive crash events, together with the sequence of events before the first crash and the sequence of events after the last crash. We say that a crash interval of $\beta$ is unbounded if it is not followed in $\beta$ by a crash event.

(RL4) If $\pi_i$ is a $send(m)$ event occurring in an unbounded crash interval in $\beta$, then there is an index $j$ of a $rcv$ event in $\beta$ such that $cause(j) = i$.

We say that a sequence $\beta$ of reliable layer actions is RL-consistent provided there exists a function $cause$ such that all the conditions (RL1)-(RL4) are satisfied. We extend the use of the term, and say that any sequence (possibly including actions other than reliable layer actions, and possibly including states) is RL-consistent provided that the subsequence consisting of reliable layer actions is.

Now we can define the specification $RL$. We have already defined $sig(RL)$. Let $behs(RL)$ be the set of sequences $\beta$ of reliable layer actions that are RL-consistent.
Figure 2: The Unreliable Layer

4 The Unreliable Layer

In this section, we define the strong type of unreliable layer that we assume is available for our protocols to use.

We again assume that there are two endpoints, a transmitting station and a receiving station. The unreliable layer accepts messages, which we call packets in order to distinguish them from the messages of the reliable layer, from the higher layer at the transmitting station, and delivers some of them at the receiving station. We do not consider corruption, duplication or reordering of packets; the only faulty behavior we consider is loss of packets.

4.1 Definitions

We describe the unreliable layer formally as a specification. Since construction of a reliable layer will generally need two unreliable channels, carrying packets in opposite directions, we parameterize the specification by an ordered pair $(u, v)$ of names for the transmitting and receiving stations, respectively. The specification is denoted by $UL_{u,v}$. Let $P$ be a fixed alphabet of "packets". The action signature $sig(UL_{u,v})$ is illustrated in Figure 2 and given formally as follows.

Input actions:

$sendp^{u,v}(p)$, $p \in P$

Output actions:

$rcvp^{u,v}(p)$, $p \in P$

The $sendp^{u,v}(p)$ action represents the sending of packet $p$ on the unreliable layer by the transmitting station, and the $rcvp^{u,v}(p)$ action represents the receipt of packet $p$ by the receiving station. We refer to the actions in $acts(UL_{u,v})$ as unreliable layer actions (for $(u, v)$).

In order to define the set of behaviors for the specification $UL^{u,v}$, we again define a collection of auxiliary properties. The properties are defined with respect to a sequence $\beta = \pi_1 \pi_2 \ldots$ of unreliable layer actions, and a function $cause$ from the indices in $\beta$ of the $rcvp^{u,v}$ events to the indices of $sendp^{u,v}$ events. The first three properties are analogous to those for the reliable layer.

(UL1) If $\pi_i = rcvp^{u,v}(p)$, $\pi_j = sendp^{u,v}(q)$, and $cause(i) = j$ then $j < i$. (That is, the event $\pi_j$ precedes $\pi_i$ in $\beta$.)

(UL2) If $\pi_i = rcvp^{u,v}(p)$, $\pi_j = sendp^{u,v}(q)$, and $cause(i) = j$ then $p = q$.

(UL3) The function $cause$ is one-to-one. (That is, $cause(i_1) \neq cause(i_2)$ for $i_1 \neq i_2$.)

The next property is the FIFO property. It says that those packets that are delivered have their $rcvp$ events occurring in the same order as their $sendp$ events. Note that (UL4) may be true even if a packet is delivered and some packet sent earlier is not delivered; there can be gaps in the sequence of delivered packets representing lost packets.

(UL4) (FIFO) Suppose that $cause(i) = j$ and $cause(k) = l$. Then $i < k$ if and only if $j < l$.

The remaining property is the liveness property for the unreliable layer. It says that if repeated send events occur for a particular packet value, then eventually some copy is delivered.

(UL5) For any $p$, if infinitely many $sendp^{u,v}(p)$ actions occur in $\beta$, then infinitely many $rcvp^{u,v}(p)$ actions occur in $\beta$.

We say that a sequence $\beta$ of unreliable layer actions is $UL^{u,v}$-consistent provided there exists a function $cause$ such that all the conditions (UL1)-(UL5) are satisfied. As before, we extend the use of the term, and say that any sequence is $UL^{u,v}$-consistent provided that the subsequence consisting of unreliable layer actions is. We have the following simple consequences of the definitions.

Lemma 4.1 1. Suppose $\beta$ and $\gamma$ are $UL^{u,v}$-consistent. Then $\beta\gamma$ is $UL^{u,v}$-consistent.

2. Suppose $\beta$ is $UL^{u,v}$-consistent and $\beta'$ is a prefix of $\beta$. Then $\beta'$ is $UL^{u,v}$-consistent.

Now we define the specification $UL^{u,v}$. We have already defined $sig(UL^{u,v})$. Let $behs(UL^{u,v})$ be the set of sequences $\beta$ of unreliable layer actions that are $UL^{u,v}$-consistent.

We define an unreliable channel from $u$ to $v$ to be any I/O automaton that satisfies $UL^{u,v}$. Thus, $C$ is an unreliable channel if it has the external actions appropriate for the specification, and also every fair behavior satisfies the conditions above (for some choice of the function $cause$). An unreliable channel with the largest set of fair behaviors is called "universal"; formally, a universal unreliable channel is an unreliable channel whose set of fair behaviors is exactly the set of $UL^{u,v}$-consistent sequences.

4.2 Properties of the Unreliable Layer

In this subsection, we give some basic properties of the unreliable layer and of unreliable channels.

We first define the idea of a sequence of packets being "in transit" after a behavior of the unreliable layer. If $\beta = \pi_1 \pi_2 \ldots$ is a finite $UL^{u,v}$-consistent sequence, we say that a sequence of packets $Q = q_1 q_2 \ldots q_k$ is in transit after $\beta$ provided there is a function $cause$ such that properties (UL1)-(UL5) hold for $\beta$ and $cause$, and also there are indices $i_1, i_2, \ldots, i_k$ with the following properties:

• $i_1 < i_2 < \cdots < i_k$,

• $\pi_{i_j} = sendp^{u,v}(q_j)$ for each $j$, $1 \le j \le k$, and

• for any index $j$ of a $rcvp^{u,v}$ event in $\beta$, $cause(j) < i_1$.

That is, a sequence of packets is in transit after $\beta$ if it is a subsequence of the collection of packets sent after the sending of the last packet that is successfully delivered. Notice, as a consequence of this definition, that if a sequence $Q$ is in transit after $\beta$, then so is any subsequence of $Q$.

Lemma 4.2 If $\beta$ is a finite $UL^{u,v}$-consistent sequence of unreliable layer actions, $Q$ is a sequence of packets that is in transit after $\beta$, and $Q'$ is a subsequence of $Q$, then $Q'$ is in transit after $\beta$.

Another immediate consequence of the definition is the following lemma, which says that as further packets are sent, they can be added to the sequence in transit.

Lemma 4.3 If $\beta$ is a finite $UL^{u,v}$-consistent sequence of unreliable layer actions, $q_1 q_2 \ldots q_k$ is in transit after $\beta$, and $q'_1 q'_2 \ldots q'_l$ is a finite sequence of packets, then the sequence

$\beta' = \beta\, sendp^{u,v}(q'_1)\, sendp^{u,v}(q'_2) \ldots sendp^{u,v}(q'_l)$

is a $UL^{u,v}$-consistent sequence and the sequence of packets $q_1 q_2 \ldots q_k q'_1 \ldots q'_l$ is in transit after $\beta'$.

The following lemma says that any sequence of packets in transit can be delivered without violating the specification of an unreliable layer.

Lemma 4.4 If $\beta$ is a finite $UL^{u,v}$-consistent sequence of unreliable layer actions, and $Q = q_1 q_2 \ldots q_k$ is a sequence of packets that is in transit after $\beta$, then $\beta\, rcvp^{u,v}(q_1) \ldots rcvp^{u,v}(q_k)$ is a $UL^{u,v}$-consistent sequence.

Recall that a universal unreliable channel is an unreliable channel whose fair behaviors are all the sequences allowed by the specification $UL^{u,v}$, rather than merely a subset of these. For our later work, it will be important to know that a universal unreliable channel exists. We give the construction here, and leave it to the reader to check that this automaton has the required behaviors. Note that no property of the automaton is used in this paper other than the fact that it is universal.

The I/O automaton $C^{u,v}$ has the inputs and outputs of $UL^{u,v}$, and no internal actions. The state of $C^{u,v}$ consists of a sequence $queue$ of packets, an array $count$ of integers indexed by packet values, and an array $keep$ of infinite sets of positive integers indexed by packet values. The initial states of the automaton are those states in which $queue$ is empty and each entry $count[p]$ is zero. Thus each initial state is determined by a value for the array $keep$.

The transition relation for the automaton $C^{u,v}$ consists of all triples $(s', \pi, s)$ described by the following code.$^4$

$sendp^{u,v}(p)$
    Effect: $count[p] \leftarrow count[p] + 1$
            if $count[p] \in keep[p]$ then append $p$ to $queue$

$rcvp^{u,v}(p)$
    Precondition: $p$ is at head of $queue$
    Effect: delete $p$ from front of $queue$

The partition puts all the output actions of $C^{u,v}$ in a single class.

Thus, $i \in keep[p]$ means that the $i$-th time packet value $p$ is sent, it will succeed in being delivered. The fact that each $keep[p]$ is infinite ensures that (UL5) is satisfied by fair behaviors of $C^{u,v}$.

$^4$ This style of describing I/O automata by giving preconditions (that is, conditions on $s'$) and effects (that is, imperatives to be executed sequentially to transform $s'$ to give $s$) is used in [12]. It is not fundamental to the model, but is rather a notational convenience for describing sets of triples.
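To make the definitions of this section concrete, here is an added Python example (not code from the paper): it simulates the universal channel $C^{u,v}$ with its $queue$, $count$ and $keep$ components, recovers the function $cause$ for a finite trace by the canonical FIFO matching that (UL1)-(UL4) force, and computes the longest sequence of packets in transit after the trace in the sense of Section 4.2, so that Lemma 4.4 can be checked on a run. The $keep$ sets are given as predicates on the copy number (a representation chosen for this example; the paper only requires them to be infinite), and (UL5), being a liveness property, is not checked on finite traces.

```python
"""Added example: the universal unreliable channel C^{u,v} of Section 4 and
a checker for the safety conditions (UL1)-(UL4) on finite traces.
Not code from the paper; the trace encoding and keep-predicates are constructed."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# A finite sequence beta of unreliable layer actions, encoded as pairs
# ("sendp", p) / ("rcvp", p).  List indices play the role of the indices
# i, j in (UL1)-(UL4).
Trace = List[Tuple[str, str]]


class UniversalChannel:
    """The I/O automaton C^{u,v}.  State: queue, count[p], keep[p].

    keep[p] must be an infinite set of positive integers; here it is
    represented by a predicate keep(p, i) that is true iff i is in keep[p]
    (a representation choice of this example)."""

    def __init__(self, keep: Callable[[str, int], bool]) -> None:
        self.keep = keep
        self.count: Dict[str, int] = defaultdict(int)  # initially all zero
        self.queue: List[str] = []                     # initially empty
        self.trace: Trace = []                         # behavior so far

    def sendp(self, p: str) -> None:
        """Input action sendp^{u,v}(p): always enabled."""
        self.count[p] += 1
        if self.keep(p, self.count[p]):   # count[p] in keep[p]: this copy survives
            self.queue.append(p)
        self.trace.append(("sendp", p))

    def rcvp(self) -> str:
        """Output action rcvp^{u,v}(p); precondition: p is at head of queue."""
        if not self.queue:
            raise RuntimeError("rcvp not enabled: queue is empty")
        p = self.queue.pop(0)
        self.trace.append(("rcvp", p))
        return p


def find_cause(trace: Trace) -> Optional[Dict[int, int]]:
    """Return a function cause (rcvp index -> sendp index) satisfying
    (UL1)-(UL4), or None if no such function exists.

    (UL4) forces cause to be increasing along the rcvp events, so scanning
    them left to right and pairing each with the earliest matching sendp
    that lies after the previously used sendp and before the rcvp itself
    is exhaustive: if any valid cause exists, this greedy choice finds one."""
    cause: Dict[int, int] = {}
    last_used = -1
    for i, (kind, p) in enumerate(trace):
        if kind != "rcvp":
            continue
        j = next((j for j in range(last_used + 1, i)   # (UL1): j < i; (UL4): j > last_used
                  if trace[j] == ("sendp", p)), None)   # (UL2): same packet value
        if j is None:
            return None
        cause[i] = j                                    # (UL3): each j used at most once
        last_used = j
    return cause


def is_ul_consistent(trace: Trace) -> bool:
    """Safety part of UL^{u,v}-consistency for a finite trace."""
    return find_cause(trace) is not None


def in_transit(trace: Trace) -> List[str]:
    """Longest sequence of packets in transit after trace (Section 4.2):
    the packets sent after the send of the last delivered packet.
    Every subsequence of the result is in transit too (Lemma 4.2)."""
    cause = find_cause(trace)
    if cause is None:
        raise ValueError("trace is not UL-consistent")
    last_delivered_send = max(cause.values(), default=-1)
    return [p for j, (kind, p) in enumerate(trace)
            if kind == "sendp" and j > last_delivered_send]


def run_example() -> Tuple[Trace, Dict[int, int], List[str]]:
    """Constructed run: copies of "a" survive only on even sends, "b" always."""
    ch = UniversalChannel(lambda p, i: p != "a" or i % 2 == 0)
    ch.sendp("a")          # count[a] = 1, lost
    ch.sendp("b")          # kept, queue = [b]
    ch.sendp("a")          # count[a] = 2, kept, queue = [b, a]
    ch.rcvp()              # delivers b
    ch.sendp("a")          # count[a] = 3, lost
    ch.rcvp()              # delivers a
    return ch.trace, find_cause(ch.trace), in_transit(ch.trace)
```

Appending rcvp events for the packets returned by in_transit keeps the trace consistent, which is Lemma 4.4 on this run; a trace that reorders or duplicates a delivery is rejected by find_cause.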

Lemma 4.5 The automaton $C^{u,v}$ is a universal unreliable channel.

5 Reliable Layer Implementation

In this section, we define a "reliable communication protocol", which is intended to be used to implement the reliable layer using the services provided by the unreliable layer. A reliable communication protocol consists of two automata, one at the transmitting station and one at the receiving station. These automata communicate with each other using two unreliable channels, one in each direction. They also communicate with the outside world, through the reliable layer actions we defined in Section 3.

Figure 3 shows how two protocol automata and two unreliable channels should be connected, in a reliable layer implementation.

5.1 Reliable Communication Protocols

We define a reliable communication protocol syntactically, as two automata that have the correct action names to be used in a system connected as in Figure 3.

A transmitting automaton is any I/O automaton having an action signature as follows:

Input actions:

$send(m)$, $m \in M$
$rcvp^{r,t}(p)$, $p \in P$
$crash^t$

Output actions:

$sendp^{t,r}(p)$, $p \in P$

In addition, there can be any number of internal actions. That is, a transmitting automaton receives requests from the environment of the reliable layer to send messages to the receiving station. It also receives packets over the unreliable channel from the receiving station $r$, and notification of crashes at the transmitting station. It sends packets over the unreliable channel to $r$.

Similarly, a receiving automaton is any I/O automaton having an action signature as follows:

Input actions:

$rcvp^{t,r}(p)$, $p \in P$
$crash^r$

Output actions:

$sendp^{r,t}(p)$, $p \in P$
$rcv(m)$, $m \in M$

Figure 3: A Reliable Layer Implementation

Again, there can also be any number of internal actions. That is, a receiving automaton receives packets over the unreliable channel from the transmitting station $t$, and notification of crashes at the receiving station. It sends packets over the unreliable channel to $t$, and it delivers messages to the environment of the reliable layer.

A reliable communication protocol is a pair $(A^t, A^r)$, where $A^t$ is a transmitting automaton and $A^r$ is a receiving automaton.

We close this subsection with a lemma describing a useful property of reliable communication protocols interacting with an unreliable layer. It says that from any point in an execution, the system can continue to run in some way, with no further crashes nor requests for message transfer, so that no packets sent before that point are delivered after it.

Recall that for any specification $T$ and sequence $\beta$ we write $\beta|T$ for the subsequence of $\beta$ consisting of actions of $T$. For brevity, we say that $\beta$ is UL-consistent provided $\beta|UL^{t,r}$ is $UL^{t,r}$-consistent and $\beta|UL^{r,t}$ is $UL^{r,t}$-consistent.

Lemma 5.1 Let $(A^t, A^r)$ be a reliable communication protocol. Let $\alpha$ be a finite UL-consistent execution of $A = A^t \circ A^r$. Then there exists a fair UL-consistent execution $\alpha\beta$ of $A$ such that

1. $\beta$ contains no $send$ or $crash$ events, and

2. $\beta$ is UL-consistent.

Proof: (Sketch) The sequence $\beta$ is constructed inductively, interleaving transitions that involve actions from each equivalence class of the fairness partition of $A$. However, whenever a $sendp(p)$ event is added to the execution, it is immediately followed by a corresponding $rcvp(p)$ event. This is allowed by $A$ since $rcvp(p)$ is an input to the composition, and UL-consistency is obviously maintained. The dovetail ensures that the execution $\alpha\beta$ constructed is a fair execution of $A$. Since every $sendp$ event is followed by its corresponding $rcvp$ event, it follows that the suffix $\beta$ is UL-consistent. □

5.2 Correctness of Reliable Communication Protocols

Now we are ready to define correctness of reliable communication protocols. Informally, we say that a reliable communication protocol is "correct" provided that when it is composed with any pair of unreliable channels (from $t$ to $r$ and from $r$ to $t$, respectively), the resulting system yields correct reliable layer behavior. This reflects the fundamental idea of layering, that the implementation of one layer should not depend on the details of the implementation of other layers, so that each layer can be implemented and maintained independently. Formally, we say that a reliable communication protocol $(A^t, A^r)$ is correct provided that the following is true. For all $C^{t,r}$ and $C^{r,t}$ that are unreliable channels from $t$ to $r$ and from $r$ to $t$, respectively, $hide_\Phi(D)$ satisfies RL, where $D$ is the composition of $A^t$, $A^r$, $C^{t,r}$ and $C^{r,t}$, and $\Phi$ is the subset of $acts(D)$ consisting of $sendp$ and $rcvp$ actions. We need to hide the actions between the protocol and the unreliable channels in order that the composition should have the signature required for the reliable layer.$^5$

The definition of correctness just given is somewhat difficult to work with, because it involves universal quantification over all possible unreliable channels. We will actually work with an alternative characterization, using only behaviors of the composition of $A^t$ and $A^r$.

Theorem 5.2 Let $(A^t, A^r)$ be a reliable communication protocol. Then the following are equivalent.

1. $(A^t, A^r)$ is correct.

2. For every fair behavior $\beta$ of $A = A^t \circ A^r$, if $\beta$ is UL-consistent then $\beta$ is RL-consistent.

Proof: Let $\Phi$ be the set of all $sendp$ and $rcvp$ actions. For one direction of implication, assume that $(A^t, A^r)$ is correct. Let $\beta$ be a fair behavior of $A$ that is UL-consistent. Let $C^{t,r}$ and $C^{r,t}$ be the unreliable channels defined in Section 4; Lemma 4.5 implies that these are universal unreliable channels.

Since $\beta$ is $UL^{t,r}$-consistent, and $C^{t,r}$ is a universal unreliable channel, it must be that $\beta|UL^{t,r}$ is a fair behavior of $C^{t,r}$. Likewise, $\beta|UL^{r,t}$ is a fair behavior of $C^{r,t}$. Then Lemma 2.2 gives that $\beta$ is a fair behavior of $D = A \circ C^{t,r} \circ C^{r,t}$. Therefore, $\beta|RL$ is a fair behavior of $hide_\Phi(D)$, since the actions of RL are exactly the external actions of $D$ that are not in $\Phi$. Since $(A^t, A^r)$ is correct and $C^{t,r}$ and $C^{r,t}$ are unreliable channels from $t$ to $r$ and $r$ to $t$ respectively, any fair behavior of $hide_\Phi(D)$ is RL-consistent. Thus, $\beta|RL$ is RL-consistent, which implies that $\beta$ is RL-consistent, as required.

$^5$ Recall that in the I/O automaton model, actions between components of a system are outputs of the system as a whole.
Conversely, suppose that for every fair behavior $\beta$ of $A$, if $\beta$ is UL-consistent, then $\beta$ is RL-consistent. Let $C^{t,r}$ and $C^{r,t}$ be arbitrary unreliable channels from $t$ to $r$ and from $r$ to $t$, respectively, and let $D = A \circ C^{t,r} \circ C^{r,t}$. We must show that $hide_\Phi(D)$ satisfies RL.

Let $\beta'$ be an arbitrary fair behavior of $hide_\Phi(D)$. Then there is a fair behavior $\beta$ of $D$ such that $\beta' = \beta|RL$. By Lemma 2.1, $\beta|C^{t,r}$ is a fair behavior of $C^{t,r}$, and since $C^{t,r}$ is an unreliable channel, $\beta|C^{t,r}$ is $UL^{t,r}$-consistent. That is, $\beta|UL^{t,r}$ is $UL^{t,r}$-consistent. Likewise, $\beta|UL^{r,t}$ is $UL^{r,t}$-consistent. Thus, $\beta$ is UL-consistent. By hypothesis, $\beta$ is RL-consistent, and so $\beta'$ is RL-consistent. Thus, $\beta' \in behs(RL)$, as required. □

5.3 Crashing Protocols

In this subsection, we define a constraint for reliable communication protocols: a "crashing" property, which says that a crash at either the transmitting or receiving station causes the corresponding protocol automaton to revert back to its start state (thereby losing all information in its memory). This property models the absence of non-volatile storage.

We say that a transmitting automaton $A^t$ is crashing provided that there is a unique start state $q_0$, that $(q, crash^t, q_0)$ is a step of $A^t$ for every $q \in states(A^t)$, and that these are the only $crash^t$ steps. Similarly, we say that a receiving automaton $A^r$ is crashing provided that there is a unique start state $q_0$, that $(q, crash^r, q_0)$ is a step of $A^r$ for every $q \in states(A^r)$, and that these are the only $crash^r$ steps. A reliable communication protocol $(A^t, A^r)$ is said to be crashing provided that $A^t$ and $A^r$ are both crashing.


6 The Impossibility Proof

A useful property for a reliable communication protocol would be the ability to tolerate crashes of the machines on which it runs. We consider the case in which a crash causes all the memory at the site to be lost; we model this by having a crash cause the automaton at that site to revert to its initial state. In this section, we present our impossibility result, that no correct reliable communication protocol can tolerate arbitrary crashes (without access to some non-volatile memory).

The main idea of our proof is to assume the existence of a reliable communication protocol that is both correct and crashing, and to find two finite executions, $\alpha$ and $\bar{\alpha}$, that leave both the transmitting and receiving automata in the same states, although in $\alpha$ every message has been delivered and in $\bar{\alpha}$ there is an undelivered message. The protocol must eventually deliver the missing message in any fair extension of $\bar{\alpha}$ in which no more crashes occur, even if no further messages are submitted by the environment. Then a corresponding extension of $\alpha$ will cause some message to be delivered, although every message sent had already been delivered. This contradicts the claimed correctness of the protocol.

In our proof, $\alpha$ contains the sending and delivery of a single message, while $\bar{\alpha}$ contains many crash events and ends with the sending of a message that is not delivered. The construction of $\bar{\alpha}$ from $\alpha$ is given in Lemma 6.3, using the following observation: it is possible to find a behavior that can leave the end stations in the same states that they have after step $k$ of the execution $\alpha$, but where a particular sequence of packets (which are received by one station in the first $k$ steps of $\alpha$) are in transit. This is shown carefully in Lemma 6.2 by induction. The induction step (which is Lemma 6.1) uses the fact that the inputs, up to step $k$ of $\alpha$, of a given station depend on outputs of the other station up to step $k - 1$.

We now begin the rigorous proof, following the sketch above. We first establish some notation. For $x \in \{t, r\}$ we define $\bar{x}$ so that $\bar{x} \in \{t, r\}$ and $\bar{x} \neq x$, that is, $\bar{t} = r$ and $\bar{r} = t$. For a finite execution $\alpha = s_0 \pi_1 s_1 \ldots \pi_n s_n$ of $A^t \circ A^r$, $x \in \{t, r\}$, and an integer $k$, $0 \le k \le n$, we define the following:

• $in(\alpha, x, k)$ is the sequence of packets received by $A^x$ during $\pi_1 \pi_2 \ldots \pi_k$, the first $k$ steps of $\alpha$,

• $out(\alpha, x, k)$ is the sequence of packets sent by $A^x$ during the first $k$ steps of $\alpha$,

• $state(\alpha, x, k)$ is the state of $A^x$ in $s_k$,

• $ext(\alpha, x, k)$ is the sequence of external actions of $A^x$ during the first $k$ steps of $\alpha$.

Note that if $\alpha$ is UL-consistent, then $in(\alpha, x, k)$ is a subsequence of $out(\alpha, \bar{x}, k - 1)$.

The first lemma is used for the inductive step in the inductive proof of Lemma 6.2. Speaking informally, we use it to "pump up" the sequence of packets waiting in the channels, as illustrated in Figure 4. If a behavior can leave the system so that in transit from $\bar{x}$ to $x$ there is a sequence of packets that is the same as the sequence of packets delivered across that channel in a reference execution, then we can extend the behavior by crashing the destination station $A^x$ and replaying that station's part of the reference execution, and this can leave the system so that a sequence of packets is in transit in the other direction, equal to the packets sent by $A^x$ in the reference execution.
Lemma 6.1 Let $(A^t, A^r)$ be a crashing reliable communication protocol. Let $\alpha = s_0 \pi_1 s_1 \ldots \pi_n s_n$ be a finite UL-consistent execution of $A = A^t \circ A^r$ such that no crash events occur in $\pi_1 \ldots \pi_n$. Suppose $x \in \{t, r\}$, $k$ is an integer with $0 \le k \le n$, and $\beta$ is a finite UL-consistent behavior of $A$ with the following properties:

1. $\beta$ can leave $A$ in a state where the state of $A^{\bar{x}}$ is $s$, and

2. the sequence $in(\alpha, x, k)$ of packets is in transit from $\bar{x}$ to $x$ after $\beta$.

Let $\gamma = crash^x\, ext(\alpha, x, k)$, a sequence of actions of $A^x$. Then we have the following properties of $\beta\gamma$:

1. $\beta\gamma$ is a finite UL-consistent behavior of $A$,

2. $\beta\gamma$ can leave $A$ in the state where the state of $A^{\bar{x}}$ is $s$, and the state of $A^x$ is $state(\alpha, x, k)$, and

3. the sequence $out(\alpha, x, k)$ of packets is in transit from $x$ to $\bar{x}$ after $\beta\gamma$.

Proof: As notation, let $q_1, q_2$ etc. denote the packets such that $in(\alpha, x, k) = q_1 q_2 \ldots q_l$. We consider the sequence $\beta\gamma$.

Now $\beta\gamma|A^x$ is just $(\beta|A^x)\, crash^x\, (ext(\alpha, x, k))$. Since $\beta|A^x$ is a behavior of $A^x$, $crash^x$ is an input of $A^x$ that takes $A^x$ to its initial state, and $ext(\alpha, x, k)$ is the behavior of an execution fragment of $A^x$ that starts in the initial state of $A^x$ and ends in $state(\alpha, x, k)$, we deduce that $\beta\gamma|A^x$ is a finite behavior of $A^x$ that can leave $A^x$ in state $state(\alpha, x, k)$.

Also, $\beta\gamma|A^{\bar{x}}$ is just $\beta|A^{\bar{x}}$, which is a finite behavior of $A^{\bar{x}}$ that can leave $A^{\bar{x}}$ in state $s$. By Lemma 2.2, $\beta\gamma$ is a finite behavior of $A$ that can leave $A$ in the state where the state of $A^{\bar{x}}$ is $s$ and the state of $A^x$ is $state(\alpha, x, k)$.

Now $\gamma|UL^{\bar{x},x}$ is $rcvp^{\bar{x},x}(q_1) \ldots rcvp^{\bar{x},x}(q_l)$ by construction. Since $in(\alpha, x, k)$ is in transit from $\bar{x}$ to $x$ after $\beta$, we see by Lemma 4.4 that $\beta\gamma|UL^{\bar{x},x}$ is $UL^{\bar{x},x}$-consistent. Also, $\gamma|UL^{x,\bar{x}}$ consists of the sequence of $sendp^{x,\bar{x}}$ actions in $\pi_1 \pi_2 \ldots \pi_k$. By Lemma 4.3, $\beta\gamma|UL^{x,\bar{x}}$ is $UL^{x,\bar{x}}$-consistent; thus, $\beta\gamma$ is UL-consistent. Lemmas 4.3 and 4.2 together imply that the sequence $out(\alpha, x, k)$ of packets is in transit from $x$ to $\bar{x}$ after $\beta\gamma$. □

The next lemma says that we can find a behavior that can leave the protocol in the same state as in any suitable execution $\alpha$, and with the same sequence of packets as those sent in $\alpha$ in transit in one of the channels.

Lemma 6.2 Let $(A^t, A^r)$ be a crashing reliable communication protocol. Let $\alpha = s_0 \pi_1 s_1 \ldots \pi_n s_n$ be a finite UL-consistent execution of $A = A^t \circ A^r$ such that no crash events occur in $\pi_1 \ldots \pi_n$. Suppose $x \in \{t, r\}$ and $k$ is an integer, with $0 \le k \le n$, such that either $k = 0$ or $\pi_k \in acts(A^x)$. Then there is a finite sequence $\beta$ with the following properties:

1. $\beta$ is a UL-consistent behavior of $A$,

2. $\beta$ can leave $A$ in the state where the state of $A^x$ is $state(\alpha, x, k)$, and the state of $A^{\bar{x}}$ is $state(\alpha, \bar{x}, k)$, and

3. the sequence $out(\alpha, x, k)$ of packets is in transit from $x$ to $\bar{x}$ after $\beta$.
Proof: We use induction on $k$.

The base case, when $k = 0$, is trivial, as $state(\alpha, x, 0)$ is the initial state of $A^x$, $state(\alpha, \bar{x}, 0)$ is the initial state of $A^{\bar{x}}$, and $out(\alpha, x, 0)$ is the empty sequence. Thus, we may take $\beta$ to be the empty sequence of actions.

Now we suppose that $k > 0$ and we assume inductively that the lemma is true for all smaller values of $k$.

If all the actions $\pi_1, \ldots, \pi_k$ are in $acts(A^x)$, then $out(\alpha, \bar{x}, k)$ must be the empty sequence, and therefore we deduce that $in(\alpha, x, k)$ is also empty. Also, $state(\alpha, \bar{x}, k)$ must be equal to $state(\alpha, \bar{x}, 0)$. Thus the empty sequence $\beta_1$ is a finite UL-consistent behavior of $A$, $\beta_1$ can leave $A^{\bar{x}}$ in state $state(\alpha, \bar{x}, k)$, and $in(\alpha, x, k)$ is in transit from $\bar{x}$ to $x$ after $\beta_1$. We can therefore apply Lemma 6.1 to obtain $\beta$ as an extension of $\beta_1$.

Otherwise, let $j$ be the greatest integer such that $1 \le j \le k$ and $\pi_j \in acts(A^{\bar{x}})$. Notice that in fact $j < k$, since $\pi_k \in acts(A^x)$. Then $in(\alpha, x, k)$ is a subsequence of $out(\alpha, \bar{x}, j)$, and $state(\alpha, \bar{x}, k)$ must equal $state(\alpha, \bar{x}, j)$. By using the inductive hypothesis, we get a finite UL-consistent behavior $\beta_1$ of $A$, where $\beta_1$ can leave $A^{\bar{x}}$ in state $state(\alpha, \bar{x}, j)$, and the sequence $out(\alpha, \bar{x}, j)$ is in transit from $\bar{x}$ to $x$ after $\beta_1$. By Lemma 4.2, the subsequence $in(\alpha, x, k)$ is also in transit from $\bar{x}$ to $x$ after $\beta_1$. We can therefore apply Lemma 6.1 to obtain $\beta$ as an extension of $\beta_1$. □

We can now use Lemma 6.2 to find a behavior of a crashing reliable communication protocol that can lead to states identical to those at the end of a given execution, but in which a message has been sent but not received.

Lemma 6.3 Let $(A^t, A^r)$ be a crashing reliable communication protocol. Let $\alpha = s_0 \pi_1 s_1 \ldots \pi_n s_n$ be a finite UL-consistent execution of $A = A^t \circ A^r$ such that

$beh(\alpha)|RL = send(m)\, rcv(m)$.

Then there is a finite UL-consistent execution $\bar{\alpha}$ of $A$ with the following properties:

1. $\bar{\alpha}|RL$ ends in $send(m)$.

2. $\bar{\alpha}$ ends in a state in which the state of $A^t$ is $state(\alpha, t, n)$ and the state of $A^r$ is $state(\alpha, r, n)$.

Proof: Let $k$ denote the greatest integer less than or equal to $n$ such that $\pi_k \in acts(A^r)$. That is, $k$ is the index of the last event in $\alpha$ that occurs at the receiving station (since $rcv(m)$ is an action of $A^r$, there is some $k$ satisfying this description). Lemma 6.2 yields a finite UL-consistent behavior $\beta'$ of $A$ with the following properties: $\beta'$ can leave $A$ in a state where the state of $A^r$ is $state(\alpha, r, k)$, and the sequence $out(\alpha, r, k)$ of packets is in transit from $r$ to $t$ after $\beta'$.

Since the sequence $in(\alpha, t, n)$ is a subsequence of $out(\alpha, r, k)$, Lemma 4.2 implies that $in(\alpha, t, n)$ is in transit from $r$ to $t$ after $\beta'$.

We now apply Lemma 6.1 to see that, for $\gamma = crash^t\, ext(\alpha, t, n)$, $\beta'\gamma$ is a finite UL-consistent behavior of $A$, and $\beta'\gamma$ can leave $A$ in the state where the state of $A^r$ is $state(\alpha, r, k)$ and the state of $A^t$ is $state(\alpha, t, n)$. We set $\beta = \beta'\gamma$.

We now note, using the definition of $k$, that $state(\alpha, r, k) = state(\alpha, r, n)$. Since $\gamma$ is $crash^t\, ext(\alpha, t, n)$ and $ext(\alpha, t, n)|RL = (beh(\alpha)|A^t)|RL = send(m)$, we have that $\beta|RL$ ends in $crash^t\, send(m)$. Let $\bar{\alpha}$ be any finite execution of $A$ with $beh(\bar{\alpha}) = \beta$, that ends in the state where the state of $A^r$ is $state(\alpha, r, k)$ and the state of $A^t$ is $state(\alpha, t, n)$. We know that such $\bar{\alpha}$ must exist, because $\beta$ can leave $A$ in the indicated state. □


Finally we can use the results above to prove our impossibility theorem.

Theorem 6.4 There is no crashing reliable communication protocol that is correct.

Proof: Assume that $(A^t, A^r)$ is such a protocol and let $A = A^t \circ A^r$.

First we claim that there is a finite UL-consistent execution $\alpha = s_0 \pi_1 s_1 \ldots \pi_n s_n$ of $A$ such that $beh(\alpha)|RL = send(m)\, rcv(m)$. The existence of such an $\alpha$ is proved by starting with an execution of $A$ containing the single action $send(m)$ (which exists since $A$ is input-enabled), and then using Lemma 5.1 to get a fair UL-consistent execution of $A$ whose behavior contains $send(m)$ and no other $send$ or $crash$ events. By Theorem 5.2, the execution's behavior must be RL-consistent. Since the action $send(m)$ occurs in the behavior and is followed by no crash events, property (RL4) implies that an $rcv$ action appears, and (RL2) shows that the action must be $rcv(m)$. By (RL1), it must follow the $send(m)$ action, and (RL3) implies that no other $rcv$ event can appear. We obtain the finite execution $\alpha$ by truncating this fair execution after the state following the $rcv(m)$ event. It follows that $beh(\alpha)|RL$ is $send(m)\, rcv(m)$.

Next we appeal to Lemma 6.3 to obtain a finite UL-consistent execution $\bar{\alpha} = \bar{s}_0 \bar{\pi}_1 \ldots \bar{\pi}_k \bar{s}_k$ of $A$ with the following properties: $beh(\bar{\alpha})$ ends in $send(m)$, and $state(\bar{\alpha}, x, k) = state(\alpha, x, n)$ for $x \in \{t, r\}$.

By Lemma 5.1, there is a fair UL-consistent execution of $A$ that extends $\bar{\alpha}$ and contains no additional $send$ or $crash$ events. The projection of this extension on the reliable layer actions must satisfy (RL4). Since the final $send(m)$ of $\bar{\alpha}$ occurs in the extension in an unbounded crash interval, by (RL4) and (RL1) the suffix of the extension after $\bar{\alpha}$ contains an $rcv$ event. Let $\alpha_2$ be the subsequence of this extension, starting at the action following the end of $\bar{\alpha}$ and ending at the state after the first following $rcv$ event. We see that $\alpha_2|RL = rcv(m')$ for some $m'$ (since the extension contains no $send$ or $crash$ events), and that $\alpha_2$ is UL-consistent. Also, the sequence consisting of the final state of $\bar{\alpha}$ followed by $\alpha_2$ is an execution fragment of $A$.

Since $\alpha$ and $\bar{\alpha}$ end in the same state both in the transmitter and the receiver, the sequence $\alpha_1 = \alpha\alpha_2$ is a finite execution of $A$. It is UL-consistent since each of $\alpha$ and $\alpha_2$ are (using Lemma 4.1). Now $beh(\alpha_1)|RL = send(m)\, rcv(m)\, rcv(m')$.

Now we use Lemma 5.1 to get a fair UL-consistent extension of $\alpha_1$ with no additional $send$ or $crash$ events. The behavior of this extension contains exactly one $send$ event and at least two $rcv$ events. Clearly no function $cause$ can be found for this behavior that satisfies (RL3), so this behavior is not RL-consistent. By Theorem 5.2, this contradicts the assumption that $A$ is a correct crashing reliable communication protocol. □